Full Report
Fortinet has patched a critical security flaw that it said has been exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems. The vulnerability, tracked as CVE-2025-32756, carries a CVSS score of 9.6 out of 10.0. "A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera may allow a remote unauthenticated attacker to
Analysis Summary
# Vulnerability: Critical Zero-Day RCE in Multiple Fortinet Products via Stack Overflow
## CVE Details
- CVE ID: CVE-2025-32756
- CVSS Score: 9.6 (Critical)
- CWE: CWE-121 (Stack-based buffer overflow)
## Affected Systems
- Products: FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera
- Versions:
  - **FortiCamera:** 1.1, 2.0; 2.1.x (< 2.1.4)
  - **FortiMail:** 7.0.x (< 7.0.9); 7.2.x (< 7.2.8); 7.4.x (< 7.4.5); 7.6.x (< 7.6.3)
  - **FortiNDR:** 1.1, 1.2, 1.3, 1.4, 1.5, 7.1; 7.0.x (< 7.0.7); 7.2.x (< 7.2.5); 7.4.x (< 7.4.8); 7.6.x (< 7.6.1)
  - **FortiRecorder:** 6.4.x (< 6.4.6); 7.0.x (< 7.0.6); 7.2.x (< 7.2.4)
  - **FortiVoice:** 6.4.x (< 6.4.11); 7.0.x (< 7.0.7); 7.2.x (< 7.2.1)
- Configurations: Devices whose HTTP/HTTPS administrative interface is reachable by the attacker.
## Vulnerability Description
A critical stack-based overflow vulnerability exists in multiple Fortinet products. A remote, unauthenticated attacker can exploit this flaw by sending specially crafted HTTP requests to execute arbitrary code or commands on the affected system.
## Exploitation
- Status: Exploited in the wild (Observed on FortiVoice systems)
- Complexity: Not stated in the advisory. Reliable exploits for stack-based overflow RCE flaws are typically hard to develop, but because this flaw is already being exploited in the wild, the practical barrier for attackers should be treated as low.
- Attack Vector: Network (via crafted HTTP requests)
## Impact
- Confidentiality: High (Ability to execute arbitrary code implies potential data theft)
- Integrity: High (Ability to execute arbitrary code implies system manipulation)
- Availability: High (Ability to execute arbitrary code implies potential denial of service or system takeover)
*Note on observed attacker activity*: Threat actors were observed scanning networks, erasing system crash logs, and enabling fcgi debugging to log credentials from system or SSH login attempts.
## Remediation
### Patches
Users must upgrade to the following fixed versions or higher as specified in the advisory:
- **FortiCamera:** Upgrade to 2.1.4 or above (1.1 and 2.0 have no fixed release; migrate to a fixed branch)
- **FortiMail:** Upgrade to 7.0.9, 7.2.8, 7.4.5, 7.6.3 or above
- **FortiNDR:** Upgrade to 7.0.7, 7.2.5, 7.4.8, 7.6.1 or above (1.1 through 1.5 and 7.1 have no fixed release; migrate to a fixed branch)
- **FortiRecorder:** Upgrade to 6.4.6, 7.0.6, 7.2.4 or above
- **FortiVoice:** Upgrade to 6.4.11, 7.0.7, 7.2.1 or above
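Checking an inventory against the table above is error-prone by hand because several branches have a fix while others must be migrated. The following is an added example, not code from Fortinet or from the advisory: the version ranges are transcribed from this summary, the `check()` and `triage()` helpers are hypothetical names chosen here, and the `INVENTORY` list is constructed sample data, not real devices.

```python
"""Affected-version check for CVE-2025-32756.

Added example (not part of the Fortinet advisory). The AFFECTED table is
transcribed from the summary above; check()/triage() are hypothetical helper
names used only here.
"""
from __future__ import annotations

# Per product: (two-component branch, first fixed version). A fixed version of
# None means the advisory lists no fix for that branch and says to migrate.
AFFECTED = {
    "FortiCamera": [("1.1", None), ("2.0", None), ("2.1", "2.1.4")],
    "FortiMail": [("7.0", "7.0.9"), ("7.2", "7.2.8"),
                  ("7.4", "7.4.5"), ("7.6", "7.6.3")],
    "FortiNDR": [("1.1", None), ("1.2", None), ("1.3", None), ("1.4", None),
                 ("1.5", None), ("7.1", None), ("7.0", "7.0.7"),
                 ("7.2", "7.2.5"), ("7.4", "7.4.8"), ("7.6", "7.6.1")],
    "FortiRecorder": [("6.4", "6.4.6"), ("7.0", "7.0.6"), ("7.2", "7.2.4")],
    "FortiVoice": [("6.4", "6.4.11"), ("7.0", "7.0.7"), ("7.2", "7.2.1")],
}


def parse_version(version: str) -> tuple[int, ...]:
    """'7.0.9' -> (7, 0, 9); a trailing build token such as 'build0101' is ignored."""
    core = version.strip().split()[0]
    return tuple(int(part) for part in core.split("."))


def branch_of(parsed: tuple[int, ...]) -> str:
    """First two components identify the release branch, e.g. (7, 0, 9) -> '7.0'."""
    return ".".join(str(part) for part in parsed[:2])


def check(product: str, version: str) -> tuple[bool, str]:
    """Return (affected, recommended action) for one device."""
    entries = AFFECTED.get(product)
    if entries is None:
        return False, f"{product} is not listed in the advisory"
    parsed = parse_version(version)
    branch = branch_of(parsed)
    for prefix, fixed in entries:
        if prefix != branch:
            continue
        if fixed is None:
            return True, f"{product} {branch} has no fix; migrate to a fixed release"
        # Tuple comparison handles different lengths: (7, 0) < (7, 0, 7).
        if parsed < parse_version(fixed):
            return True, f"upgrade {product} to {fixed} or above"
        return False, f"{product} {version} is at or above fixed version {fixed}"
    return False, f"{product} {branch} branch is not listed as affected"


# Constructed sample inventory (hypothetical hostnames omitted; product and version only).
INVENTORY = [
    ("FortiVoice", "7.0.6"),
    ("FortiVoice", "7.2.1"),
    ("FortiMail", "7.6.2 build0101"),
    ("FortiNDR", "7.1.0"),
    ("FortiCamera", "2.1.4"),
    ("FortiGate", "7.4.3"),
]


def triage(inventory: list[tuple[str, str]]) -> list[tuple[str, str, bool, str]]:
    """Run check() over an inventory and return one row per device."""
    return [(product, version, *check(product, version))
            for product, version in inventory]


if __name__ == "__main__":
    for product, version, affected, action in triage(INVENTORY):
        flag = "AFFECTED" if affected else "ok      "
        print(f"{flag} {product:<14}{version:<20}{action}")
```

Branch matching on the first two version components mirrors how the advisory groups its ranges; a device on a branch the advisory does not list (for instance a product outside the five named) is reported as not listed rather than as safe, so the operator still sees that no judgement was made.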
### Workarounds
- If immediate patching is not possible, administrators are advised to **disable the HTTP/HTTPS administrative interface** on affected devices.
## Detection
- Indicators of compromise observed include: Device network scans, erasure of system crash logs, and the enabling of `fcgi` debugging to capture credentials.
- Detection methods would involve monitoring for anomalous administrative access attempts, unexpected configuration changes, or suspicious HTTP/HTTPS requests targeted at the administrative interfaces.
## References
- Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-254